Koobface Developers Modify Botnet to Overcome Potential Elimination

As industry experts try to degrade Koobface, the authors of the malware strain have modified it to reduce the chances of its elimination.

Koobface spreads through phishing-style attacks on prominent social networking websites such as Facebook and Twitter, experts said. Kaspersky researchers observed that Koobface activity had declined in recent weeks, which led them to believe its developers were working to make the botnet more resilient as the social networking sites attempt to knock the threat offline.

Kaspersky experts noticed that Koobface command-and-control (C&C) servers were being cleaned up or shut down at an average rate of three per day over the first two weeks of March 2010. The number of control nodes fell steadily from 107 on February 25 to 72 on March 8. Just two days later, on March 10, the number had roughly doubled, reaching 142.

Kaspersky senior technology consultant David Emm said these changes clearly indicate that botnet gangs are not merely placing their malware but are also managing it like system administrators, as reported by MX Logic on March 11, 2010.

Another interesting aspect of the Koobface C&C infrastructure emerges when one considers how the geographical distribution of the IP addresses used to communicate with infected systems has evolved.

The share of C&C servers hosted in the US is rising, having grown from 48% to 52%. Over half of these servers are now hosted in the United States, far ahead of any other country. Among the other nations hosting C&C servers, Germany comes first with 8.48%, followed by Canada with 4.46%, Great Britain with 3.57% and finally the Netherlands with just 3.13%.

Kaspersky Lab senior anti-virus researcher Stefan Tanase said the latest events show, to some extent, the manner in which the Koobface gang secures its infrastructure, as reported by HELP NET SECURITY on March 11, 2010.

He added that it can be concluded from this that the cybercriminals are constantly monitoring the status of their infrastructure. They do not want a steep fall in the number of C&C servers, which would loosen their grip on the botnet. When that number drops significantly, the crooks appear to be ready with plenty of new servers.